How to Install the Policy Server on UNIX
To install the Policy Server, complete the following steps:
- Review the Policy Server component considerations.
- Review the policy store considerations.
- Review the FIPS considerations.
- Gather information for the Policy Server installer.
- Run the Policy Server installer.
- (Linux) If Security–Enhanced Linux is enabled, add CA SiteMinder®–specific exceptions.
- (Optional) If you configured SNMP, restart the SNMP daemon.
Policy Server Component Considerations
In addition to the Policy Server, the installer can install and configure the following components. Review the following items before installing the Policy Server:
- OneView Monitor UI
The OneView Monitor enables the monitoring of CA SiteMinder® components.
Note: To use the OneView Monitor, you must have the supported Java SDK and ServletExec/AS installed on the system.
- SNMP
You must have the following items to enable SNMP support:
- The password of the root user.
- A native SunSolstice Master Agent.
- Policy store
Note: The key store and certificate data store are automatically configured and collocated with the policy store.
- Audit logs
You can store audit logs in either a relational database or a text file. After you install the Policy Server, audit logging is set to a text file and not to ODBC by default.
Note: For a list of supported CA and third-party components, refer to the CA SiteMinder® 12.52 SP1 Platform Support Matrix on the Technical Support site.
More information:
Locate the Platform Support Matrix
Certificate Data Store
Policy Store
Policy Store Considerations
Consider the following items before running the Policy Server installer or the Policy Server Configuration wizard:
- The Policy Server installer and the Policy Server Configuration wizard can automatically configure one of the following stores as a policy store:
- Microsoft Active Directory Lightweight Directory Services (AD LDS)
Note: Be sure that you have met the prerequisites for configuring AD LDS as a policy store.
- Oracle® Directory Enterprise Edition (formerly Sun Java™ System Directory Server)
Important! The Policy Server installer and the Policy Server Configuration wizard cannot automatically configure a policy store that is connected to over an SSL connection.
- Microsoft SQL Server®
- Oracle RDBMS
- (RDB policy store) The Policy Server installer or the Policy Server Configuration Wizard uses specific database information to create the policy store data source. The Policy Server uses this data source to communicate with the policy store. Consider the following items:
- The name of the data source is CA SiteMinder® DSN.
- The installer saves the data source to the system_odbc.ini file, which is located in siteminder_home/db.
- siteminder_home
Specifies the Policy Server installation path.
- (RDB policy store) Verify that the database server that is to host the policy store is configured to store objects in UTF–8 form. This configuration avoids possible policy store corruption.
- (Oracle) Be sure that the database is configured to store objects in UTF–8 form. Oracle supports Unicode within many of its character sets. For more information about configuring your database to store objects in UTF–8 form, see your vendor–specific documentation.
- (SQL Server) Be sure that the database is configured using the default collation (SQL_Latin1_General_CP1_CI_AS). Using a collation that is case–sensitive can result in unexpected behaviors. For more information about configuring your database to store objects using the default collation, see your vendor–specific documentation.
- The certificate data store is automatically collocated with the policy store.
- You manually configure any other supported directory server or relational database as a policy store after installing the Policy Server. Configuring a policy store manually is detailed in this document.
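The UTF-8 and collation requirements above are easy to verify before the installer is pointed at a database. The following POSIX shell script is an added example and is not part of the CA SiteMinder guide or the installer. It queries the standard Oracle view nls_database_parameters and the SQL Server function DATABASEPROPERTYEX; the sqlplus connect strings, server name, database name and login used in the comments are assumptions, and the comparison functions are pure string checks so they can be exercised without a database.

```sh
#!/bin/sh
# Added example, not part of the CA SiteMinder guide: verify the policy store
# database character set (Oracle) or collation (SQL Server) before running the
# Policy Server installer. Connection details supplied by the caller are
# assumptions; nothing here writes to the database.

# Oracle: NLS_CHARACTERSET must be a UTF-8 character set. AL32UTF8 is the
# current recommendation; UTF8 is Oracle's older Unicode set and is accepted too.
oracle_charset_ok() {
    case "$1" in
        AL32UTF8|UTF8) return 0 ;;
        *) return 1 ;;
    esac
}

# SQL Server: the guide requires the default, case-insensitive collation.
sqlserver_collation_ok() {
    [ "$1" = "SQL_Latin1_General_CP1_CI_AS" ]
}

# Fetch NLS_CHARACTERSET through sqlplus (assumed on PATH). $1 is a connect
# string that carries no password on the command line, for example
# "/ as sysdba" on the database host or "/@policydb" with a wallet
# (both constructed). Whitespace is stripped so the value compares cleanly.
query_oracle_charset() {
    sqlplus -s "$1" <<'EOF' | tr -d '[:space:]'
SET HEADING OFF FEEDBACK OFF PAGESIZE 0
SELECT value FROM nls_database_parameters WHERE parameter = 'NLS_CHARACTERSET';
EXIT
EOF
}

# Fetch the collation of the policy store database through sqlcmd (assumed on
# PATH). $1 server, $2 database, $3 login; -P is deliberately omitted so sqlcmd
# prompts for the password instead of exposing it in the process list.
query_sqlserver_collation() {
    sqlcmd -S "$1" -d "$2" -U "$3" -h -1 -W \
        -Q "SET NOCOUNT ON; SELECT CAST(DATABASEPROPERTYEX(DB_NAME(), 'Collation') AS varchar(128));" \
        | tr -d '[:space:]'
}

# Evaluate one Oracle result; returns 0 only when the value is acceptable.
report_oracle() {
    if oracle_charset_ok "$1"; then
        echo "ok: NLS_CHARACTERSET=$1"
    else
        echo "FAIL: NLS_CHARACTERSET=$1; the policy store needs AL32UTF8 or UTF8 to avoid corruption" >&2
        return 1
    fi
}

# Evaluate one SQL Server result; returns 0 only when the value is acceptable.
report_sqlserver() {
    if sqlserver_collation_ok "$1"; then
        echo "ok: collation=$1"
    else
        echo "FAIL: collation=$1; the policy store expects SQL_Latin1_General_CP1_CI_AS (case-insensitive)" >&2
        return 1
    fi
}

# Usage (constructed): sh precheck.sh oracle "/ as sysdba"
#                      sh precheck.sh sqlserver dbhost smpolicy smadmin
if [ "$#" -ge 2 ]; then
    case "$1" in
        oracle)    report_oracle "$(query_oracle_charset "$2")" ;;
        sqlserver) report_sqlserver "$(query_sqlserver_collation "$2" "$3" "$4")" ;;
    esac
fi
```

Run it on the database host (Oracle) or from any host with sqlcmd (SQL Server) before choosing the Policy Store option in the installer; a FAIL result means the database should be corrected first, because the guide warns that a wrong character set can corrupt the policy store and a case-sensitive collation produces unexpected behaviour.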
More information:
Configuring CA SiteMinder® Data Stores in a Relational Database
FIPS Considerations
The Policy Server uses certified Federal Information Processing Standard (FIPS) 140-2 compliant cryptographic libraries. FIPS 140-2 is a US government computer security standard that is used to accredit cryptographic modules, which implement approved algorithms such as the Advanced Encryption Standard (AES). The libraries provide a FIPS mode of operation when a CA SiteMinder® environment uses only FIPS-compliant algorithms to encrypt sensitive data.
You can install the Policy Server in one of the following FIPS modes of operation.
Note: The FIPS mode a Policy Server operates in is system-specific. For more information, see the CA SiteMinder® 12.52 SP1 Platform Support Matrix on the Technical Support site.
- FIPS-compatibility mode—The default FIPS mode of operation during the installation is FIPS-compatibility mode. In FIPS-compatibility mode, the environment uses existing CA SiteMinder® algorithms to encrypt sensitive data and is compatible with previous versions of CA SiteMinder®:
- The use of FIPS-compliant algorithms in your environment is optional.
- If your organization does not require the use of FIPS-compliant algorithms, install the Policy Server in FIPS-compatibility mode. No further configuration is required.
- FIPS-migration mode—FIPS-migration mode lets you transition a 12.52 SP1 environment running in FIPS-compatibility mode to FIPS-only mode.
In FIPS-migration mode, the 12.52 SP1 Policy Server continues to use existing CA SiteMinder® encryption algorithms as you migrate the 12.52 SP1 environment to use only FIPS-compliant algorithms.
Install the Policy Server in FIPS-migration mode if you are in the process of configuring the existing environment to use only FIPS-compliant algorithms.
- FIPS-only mode—In FIPS-only mode, the environment only uses FIPS-compliant algorithms to encrypt sensitive data.
Install the Policy Server in FIPS-only mode if the existing environment is upgraded to 12.52 SP1 and the existing environment is configured to use only FIPS-compliant algorithms.
Important! A 12.52 SP1 environment that is running in FIPS-only mode cannot operate with versions of CA SiteMinder® that do not also fully support FIPS (that is, versions before r12.0). This restriction applies to all agents, custom software using older versions of the Agent API, and custom software using PM APIs or any other API that the Policy Server exposes. Relink all such software with the 12.52 SP1 versions of the respective SDKs to achieve the required FIPS support.
Note: For more information about migrating an environment to use only FIPS-compliant algorithms, see the Upgrade Guide.
More information:
Locate the Platform Support Matrix
Gather Information for the Installer
The Policy Server installer requires specific information to install the Policy Server and any optional components.
Required Information
Gather the following required information before running the Policy Server installer or the Configuration wizard.
Active Directory LDS Server Information
Gather the following required information to configure Microsoft Active Directory LDS as a policy store:
- System IP address—Identify the IP address of the directory server host system.
- Port number—Identify the port number on which the directory server is listening.
- Root DN of the application partition—Identify the root DN location of the application partition in the directory server where the policy store schema data must be installed.
Example: dc=ca,dc=com
- Administrator domain name—Identify the full domain name, including the guid value, of the directory administrator.
Example: CN=user1,CN=people,CN=Configuration,CN=guid
- Administrator password—Identify the password of the directory administrator.
- Alternate user account—By default, CA SiteMinder® uses the administrator account to communicate with the directory server. However, you can use a different user account to administer the policy store. Identify the complete administrator DN and password to configure CA SiteMinder® to use an alternative user account to administer the policy store.
Note: This user must have the necessary permissions to modify attributes and change passwords.
- CA SiteMinder® superuser password—The default CA SiteMinder® superuser account has maximum permissions. Determine the password for the default superuser account. The name of the default account is:
siteminder
Limits:
- The password must contain at least six (6) characters and cannot exceed 24 characters.
- The password cannot include an ampersand (&) or an asterisk (*).
- If the password contains a space, enclose the passphrase with quotation marks.
Note: We recommend that you do not use the default superuser for day-to-day operations. Rather, use the default superuser to access the Administrative UI for the first time and then create an administrator with superuser permissions.
Oracle Directory Server Information
Gather the following required information to configure Oracle Directory Server to function as a policy store:
- System IP address—Determine the IP address of the Oracle Directory Server host system.
- Directory instance port number—Determine the port number for the Oracle Directory Server instance.
Default: 389
- Root DN—Identify the root DN of the Oracle Directory Server.
Example: o=yourorg.com
- Administrator account—Identify the user name (Bind DN) for the LDAP administrator account.
Example: cn=Directory Manager
- Administrator password—Identify the password for the Oracle Directory Server administrator.
- Alternate LDAP administrator—By default, CA SiteMinder® uses the LDAP administrator account to communicate with the LDAP server. However, you can use a different LDAP user account to administer the policy store. Identify the complete administrator DN and password to configure CA SiteMinder® in this way.
Note: This user must have the necessary permissions to modify attributes and change passwords.
- CA SiteMinder® superuser password—The default CA SiteMinder® superuser account has maximum permissions. Determine the password for the default superuser account. The name of the default account is:
siteminder
Limits:
- The password must contain at least six (6) characters and cannot exceed 24 characters.
- The password cannot include an ampersand (&) or an asterisk (*).
- If the password contains a space, enclose the passphrase with quotation marks.
Note: We recommend that you do not use the default superuser for day-to-day operations. Rather, use the default superuser to access the Administrative UI for the first time and then create an administrator with superuser permissions.
Microsoft SQL Server Information
To configure Microsoft SQL Server as a policy store, gather the following required information:
- Database server name
Identify the IP address or name of the database host system.
Note: For more information about IPv6 support, see the CA SiteMinder® Platform Support Matrix.
- Database name
Identify the named instance or the name of the database that is to function as the policy store.
- Database port
Identify the port on which the database is listening.
- Database administrator user name and password
Identify the name and password of an administrator account with permission to do the following operations:
- Create schema
- Create, read, modify, and delete objects.
Note: If the CA SiteMinder® schema is already present in the database, the wizard does not require the credentials of a database administrator with create permission. For more information, see Configure a SQL Server Policy Store.
- CA SiteMinder® superuser password
The default CA SiteMinder® superuser account has maximum permissions. Determine the password for the default superuser account. The name of the default account is:
siteminder
Limits:
- The password must contain at least six (6) characters and cannot exceed 24 characters.
- The password cannot include an ampersand (&) or an asterisk (*).
- If the password contains a space, enclose the passphrase with quotation marks.
Note: We recommend that you do not use the default superuser for day-to-day operations. Rather, use the default superuser to access the Administrative UI for the first time and then create an administrator with superuser permissions.
Oracle RDBMS Information
Gather the following required information to configure Oracle RDBMS as a policy store.
- Database server name
Identify the IP address or the name of the database host system.
Note: For more information about IPv6 support, see the CA SiteMinder® Platform Support Matrix.
- Database service name
Identify the service name of the database that is to function as the policy store.
- Database port
Identify the port on which the database is listening.
- Database administrator user name
Identify the name of an administrator account with permission to do the following operations:
- Create schema
- Create, read, modify, and delete objects.
- Database administrator password
Identify the password of the administrator account.
- CA SiteMinder® superuser password
The default CA SiteMinder® superuser account has maximum permissions. Determine the password for the default superuser account. The name of the default account is:
siteminder
Limits:
- The password must contain at least six (6) characters and cannot exceed 24 characters.
- The password cannot include an ampersand (&) or an asterisk (*).
- If the password contains a space, enclose the passphrase with quotation marks.
Note: We recommend that you do not use the default superuser for day-to-day operations. Rather, use the default superuser to access the Administrative UI for the first time and then create an administrator with superuser permissions.
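The superuser password limits repeated in the Active Directory LDS, Oracle Directory Server, SQL Server and Oracle RDBMS sections above (6 to 24 characters, no ampersand or asterisk, quotation marks around a value containing a space) can be checked before the installer prompts for the value. The following POSIX shell functions are an added example, not part of the CA SiteMinder guide or installer; the sample passwords in the comments are constructed.

```sh
#!/bin/sh
# Added example, not part of the CA SiteMinder guide: pre-check a candidate
# password for the default "siteminder" superuser against the limits the
# guide states, and show how it has to be entered at the installer prompt.
# All sample values are constructed.

# Returns 0 when the password satisfies the limits, 1 otherwise, with the
# reason on stderr. The password itself is never printed here.
check_superuser_password() {
    pw="$1"
    len=${#pw}
    if [ "$len" -lt 6 ] || [ "$len" -gt 24 ]; then
        echo "rejected: length $len is outside the 6..24 range" >&2
        return 1
    fi
    case "$pw" in
        *'&'*|*'*'*)
            echo "rejected: '&' and '*' are not allowed" >&2
            return 1 ;;
    esac
    return 0
}

# Print the value in the form the guide says to type at the prompt:
# wrapped in double quotation marks when it contains a space, else unchanged.
installer_form() {
    case "$1" in
        *' '*) printf '"%s"\n' "$1" ;;
        *)     printf '%s\n' "$1" ;;
    esac
}

# Read the candidate from stdin rather than the command line so it does not
# end up in shell history or the process list.
# Usage (constructed): printf '%s' 'my pass phrase' | sh check.sh --stdin
if [ "${1:-}" = "--stdin" ]; then
    IFS= read -r candidate
    if check_superuser_password "$candidate"; then
        echo "acceptable; enter it at the prompt as: $(installer_form "$candidate")"
    else
        exit 1
    fi
fi
```

The length check counts characters as the shell sees them; if the candidate contains multibyte characters, confirm the count separately, since the installer's own counting is not documented on this page.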
OneView Monitor Information
You only have to gather OneView Monitor information if you plan on configuring the OneView Monitor.
Gather the following required information to configure the OneView Monitor. You can use the OneView Monitor Information Worksheet to record your values.
Install the Policy Server in GUI Mode
Install the Policy Server using the installation media on the Technical Support site.
Follow these steps:
- Exit all foreground applications.
- Open a shell and navigate to the installation media.
- Enter the following command:
./ca-ps-12.5-cr-unix_version
- cr
Specifies the cumulative release number. The base r12.5 release does not include a cumulative release number.
- unix_version
Specifies the UNIX version: sol or linux.
The installer starts.
Note: For a list of installation media names, see the Policy Server Release Notes.
- Use the system and component information you have gathered to install the Policy Server.
Consider the following items when running the installer:
- If you are installing the Policy Server for the first time on this system, do not configure the OneView Monitor UI. The installer modifies the configuration files of the web server that is to host the UI. The smuser account does not have the required root privileges. After you install the Policy Server, use the Policy Server Configuration Wizard as root to configure the OneView Monitor UI.
- The installer prompts you to select a FIPS mode of operation. For more information about which FIPS mode to select, see FIPS Considerations.
- If you are configuring a policy store manually, clear the Policy Store option when selecting components. For more information about which stores can be automatically configured as a policy store, see Policy Store Considerations.
- If you are initializing a policy store, you are prompted to enter a password for the default CA SiteMinder® user account. The default account name is:
siteminder
- You are prompted to install the default certificate authority (CA) certificates to the certificate data store. You can add additional certificates and private keys to the certificate data store after installation.
- If you are using IPv6 addresses, surround entries with brackets.
Example:
[2001:db8::1428:57ab]
- If you cut and paste path information into the wizard, enter a character to enable the Next button.
- Review the installation settings and click Install.
The Policy Server and all selected components are installed and configured.
Note: The installation can take several minutes.
- Click Done.
The installer closes.
- (Optional) If you did not use the installer to configure a policy store, manually configure the policy store.
Note: If you experience problems during the installation, you can locate the installation log file and the policy store details file in siteminder_home/siteminder/install_config_info.
Install the Policy Server in Console Mode
Install the Policy Server using the installation media on the Technical Support site.
Follow these steps:
- Exit all applications that are running.
- Open a shell and navigate to the installation media.
- Run the following command:
./ca-ps-12.5-cr-unix_version -i console
- cr
Specifies the cumulative release number. The base r12.5 release does not include a cumulative release number.
- unix_version
Specifies the UNIX version: sol or linux.
The installer starts.
Note: For a list of installation media names, see the Policy Server Release Notes.
- Use the system and component information you have gathered to install the Policy Server.
Consider the following items when entering information:
- If you are installing the Policy Server for the first time on this system, do not configure the OneView Monitor UI. The installer modifies the configuration files of the web server that is to host the UI. The smuser account does not have the required root privileges. After you install the Policy Server, use the Policy Server Configuration Wizard as root to configure the OneView Monitor UI.
- The installer prompts you to select a FIPS mode of operation. For more information about which FIPS mode to select, see FIPS Considerations.
- The installer prompts you to select components you want to configure. Separate entries with commas (,). To select none of the features, enter only a comma.
- If you are configuring a policy store manually, do not select Policy Store. For more information about which stores can be automatically configured as a policy store, see Policy Store Considerations.
- If you are initializing a policy store, you are prompted to enter a password for the default CA SiteMinder® user account. The default account name is:
siteminder
- You are prompted to install the default certificate authority (CA) certificates to the certificate data store. You can add additional certificates and private keys to the certificate data store after installation.
- If you are using IPv6 addresses, surround entries with brackets.
Example:
[2001:db8::1428:57ab]
- Only initialize the policy store when configuring a new policy store instance.
- Review the installation settings and press Enter.
The Policy Server and all selected components are installed and configured.
Note: The installation can take several minutes.
- Press Enter.
The installer closes.
- (Optional) If you did not use the installer to configure a policy store, manually configure the policy store.
Note: If you experience problems during the installation, you can locate the installation log file and the policy store details file in siteminder_home/siteminder/install_config_info.
More information:
Locate the Installation Media
Troubleshoot the Policy Server Installation
Installation Media Names
Add Exceptions to Security–Enhanced Linux
If Security–Enhanced Linux is enabled on the Policy Server host system, add CA SiteMinder®–specific exceptions to the environment. Adding the exceptions prevents Security–Enhanced Linux text relocation denials.
Follow these steps:
- Log in to the Policy Server host system.
- Open a shell and run the following command:
chcon -t textrel_shlib_t /siteminder_home/lib/*
- siteminder_home
Specifies the Policy Server installation path.
- Run the following command:
chcon -t textrel_shlib_t /JDK_home/lib/i386/*
- JDK_home
Specifies the required JDK installation path.
- Run the following command:
chcon -t textrel_shlib_t /JDK_home/lib/i386/server/*
- JDK_home
Specifies the required JDK installation path.
CA SiteMinder®–specific exceptions have been added.
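The three chcon commands above can be applied and, more usefully, verified in one pass. The following POSIX shell script is an added example and is not part of the CA SiteMinder guide; the default values of SITEMINDER_HOME and JDK_HOME are assumptions and should be overridden from the environment to match the host. The label check is a plain text match on ls -Z output so that it can be exercised on a system without SELinux.

```sh
#!/bin/sh
# Added example, not part of the CA SiteMinder guide: apply the textrel_shlib_t
# exceptions from the procedure above and confirm that no library in those
# directories was missed. The two default paths are assumptions.
SITEMINDER_HOME="${SITEMINDER_HOME:-/opt/CA/siteminder}"
JDK_HOME="${JDK_HOME:-/usr/java/jdk}"

# The three directories named in the procedure, one per line.
textrel_dirs() {
    printf '%s\n' "$SITEMINDER_HOME/lib" \
                  "$JDK_HOME/lib/i386" \
                  "$JDK_HOME/lib/i386/server"
}

# Pure text check on one line of `ls -Z` output: 0 if the file already carries
# the textrel_shlib_t type, 1 otherwise. Kept separate so it is testable
# without SELinux tooling.
has_textrel_type() {
    case "$1" in
        *textrel_shlib_t*) return 0 ;;
        *) return 1 ;;
    esac
}

# Count the files in a directory that still lack the type.
count_unlabeled() {
    dir="$1"; n=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        line=$(ls -Z "$f" 2>/dev/null) || continue
        has_textrel_type "$line" || n=$((n + 1))
    done
    echo "$n"
}

# Relabel each directory, then report what is left. Granting textrel_shlib_t
# to these libraries only is a narrower change than switching SELinux to
# permissive mode for the whole host, which is why the guide's approach is
# preferable to disabling enforcement.
apply_textrel_exceptions() {
    if ! command -v getenforce >/dev/null 2>&1 || [ "$(getenforce)" = "Disabled" ]; then
        echo "SELinux is not enabled on this host; nothing to do"
        return 0
    fi
    textrel_dirs | while IFS= read -r dir; do
        if [ ! -d "$dir" ]; then
            echo "missing directory: $dir (check SITEMINDER_HOME / JDK_HOME)" >&2
            continue
        fi
        chcon -t textrel_shlib_t "$dir"/*
        echo "$dir: $(count_unlabeled "$dir") file(s) still without textrel_shlib_t"
    done
}

# Only relabel when explicitly asked, so sourcing the file for its helpers
# has no side effects. Usage (constructed): APPLY_TEXTREL=1 sh textrel.sh
if [ "${APPLY_TEXTREL:-0}" = 1 ]; then
    apply_textrel_exceptions
fi
```

A label set with chcon is not persistent: a relabel of the filesystem (restorecon, or a full relabel at boot) reverts it to the policy default. If the host is ever relabeled, either rerun the commands or register the paths with semanage fcontext so that restorecon reapplies textrel_shlib_t itself; a "still without textrel_shlib_t" count above zero after a run means some files in the directory were not relabeled and the text relocation denials will recur for those libraries.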
Restart the SNMP Daemon
You only have to restart the SNMP daemon if you configured SNMP during the Policy Server installation.
To restart the SNMP daemon
- In /etc/rc3.d, enter S76snmpdx stop.
The SNMP daemon stops.
- In /etc/rc3.d, enter S76snmpdx start.
The SNMP daemon starts.
Copyright © 2014 CA.
All rights reserved.